Mobile Device and Method to Monitor a Baseband Processor in Relation to the Actions on an Applicaton Processor

1. A method of detecting an attack on a baseband processor of a mobile device comprising the baseband processor and an application processor, which may or may not be integrated in a single chip, comprising the steps of: a) monitoring by a baseband monitor component the behavior of the baseband processor by using features available on the mobile device, b) monitoring by an application monitor component the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that constitute normal baseband activities by the user; c) correlating by an evaluator component the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious baseband activities, and d) initiating by a defense component countermeasures designed to ward off the suspicious baseband activities, wherein initiating includes one or more of resetting the baseband processor, resetting the mobile device or forcing all mobile device connections to be dropped.

2. A method of detecting an attack on a baseband processor of a mobile device comprising the baseband processor and an application processor, which may or may not be integrated in a single chip, comprising the steps of: a) monitoring by a baseband monitor component the behavior of the baseband processor by using features available on the mobile device, b) monitoring by an application monitor component the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that constitute normal baseband activities by the user, c) correlating by an evaluator component the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious baseband activities, and d) initiating by a defense component countermeasures designed to ward off the suspicious baseband activities, wherein the monitoring by the baseband monitor further comprises one or more of the following: collecting information on power consumption of individual hardware components of the mobile device, collecting information on audio path configuration, collecting information on the response time to normal service requests from the application processor to the baseband processor, monitoring of communication interfaces or memory areas shared between the application processor and the baseband processor for atypical communication patterns, monitoring of communication interfaces and memory areas shared between the application processor and the baseband for patterns associated with exploit attempts, or collecting information obtained from the baseband processor's debugging output.

3. The method according to claim 2 , wherein the monitoring of communication interfaces or memory areas shared between the application processor and the baseband processor for patterns associated with exploit attempts, comprises one or more of the following: Monitoring malformated messages or data structures or very large data blocks; Monitoring the usage of procedures, functions, features or messages not seen in normal operations; or Monitoring attempts to access memory areas not consistent with normal operations.

4. The method according claim 2 , wherein the collecting of information obtained from the baseband processor's debugging output comprises one or more of the following: timing and volume of voice call setup, timing and volume of data transmission, timing and volume of SMS message transmission, or timing and sequence of establishment of traffic channels.

5. A method of detecting an attack on a baseband processor of a mobile device comprising the baseband processor and an application processor, which may or may not be integrated in a single chip, comprising the steps of: a) monitoring by a baseband monitor component the behavior of the baseband processor by using features available on the mobile device, b) monitoring by an application monitor component the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that constitute normal baseband activities by the user; c) correlating by an evaluator component the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious baseband activities, and d) initiating by a defense component countermeasures designed to ward off the suspicious baseband activities, wherein the evaluator component flags the absence of standard A5/1, A5/2, or A5/3 link encryption on GSM or 3G/UMTS/W-CDMA mobile networks which leads the defense component to issue a warning to the mobile device's user that link encryption has been deactivated.

6. A method of detecting an attack on a baseband processor of a mobile device comprising the baseband processor and an application processor, which may or may not be integrated in a single chip, comprising the steps of: a) monitoring by a baseband monitor component the behavior of the baseband processor by using features available on the mobile device, b) monitoring by an application monitor component the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that constitute normal baseband activities by the user; c) correlating by an evaluator component the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious baseband activities, and d) initiating by a defense component countermeasures designed to ward off the suspicious baseband activities, wherein the evaluator component flags the presence of a rogue base station that does not belong to the legitimate mobile network and the defense component warns the user of the mobile device that a rogue base station has been detected and/or the defense component shuts down the baseband processor in order to prevent exploitation.

7. The method according to claim 6 wherein the evaluator component flags the presence of a rogue base station that does not belong to the legitimate mobile network using one or more of the following: cell identification, distance, and signal strength, signal growth/attenuation, forced network change from 3G to 2G network, unusual changes in the list of neighboring cells, unusual configuration parameters of the mobile base station designed to make it appear more ‘attractive’ to the targeted mobile device(s), or network parameters not consistent with the mobile device's location and/or the currently selected mobile network operator.

8. A method of detecting an attack on a baseband processor of a mobile device comprising the baseband processor and an application processor, which may or ma not be integrated in a single chip, comprising the steps of: a) monitoring by a baseband monitor component the behavior of the baseband processor by using features available on the mobile device, b) monitoring by an application monitor component the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that constitute normal baseband activities by the user; c) correlating by an evaluator component the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious baseband activities, and d) initiating by a defense component countermeasures designed to ward off the suspicious baseband activities, wherein the evaluator component categorizes activities on the baseband processor in different classes ranging from normal/inconspicuous to highly suspicious.

9. The method according to claim 8 , wherein the evaluator plots events in a diagram that shows baseband activity and suspect baseband activities over time, wherein the diagram is displayed on either the mobile device's screen or an external display device.

10. The method according to claim 9 , wherein the evaluator component compiles the suspect baseband activities over time in one single integrated graphical representation of the overall threat level with respect to the mobile device's baseband processor or in the form of a ‘threat level thermometer’ that is displayed on either the mobile device's screen or an external display device.

11. A method of detecting an attack on a baseband processor of a mobile device comprising the baseband processor and an application processor, which may or may not be integrated in a single chip, comprising the steps of: a) monitoring by a baseband monitor component the behavior of the baseband processor by using features available on the mobile device, b) monitoring by an application monitor component the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that constitute normal baseband activities by the user; c) correlating by an evaluator component the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious baseband activities, and d) initiating by a defense component countermeasures designed to ward off the suspicious baseband activities, wherein the evaluator component records baseband activity in a log file that can be subsequently read and combined with log files from other mobile devices by a reporter component in order to arrive at an overview of the aggregated threat level to which multiple mobile devices are subject to.

12. A method of detecting an attack on a baseband processor of a mobile device comprising, the baseband processor and an application processor, which may or may not be integrated in a single chip, comprising the steps of: a) monitoring by a baseband monitor component the behavior of the baseband processor by using features available on the mobile device, b) monitoring by an application monitor component the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that constitute normal baseband activities by the user; c) correlating by an evaluator component the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious baseband activities, and d) initiating by a defense component countermeasures designed to ward off the suspicious baseband activities, wherein the evaluator component transmits data on baseband activity and network parameters to a remote reporter entity which performs additional location-based analytics to determine the locations of hostile networks.

13. The method according to claim 12 , wherein the remote reporter entity sends out warnings and configuration changes to mobile devices in response to detected hostile network activity.

14. The method according to claim 13 , wherein the remote reporter entity sends out warnings about hostile network activity dedicated connected devices which are mounted as stationary sensors in sensitive areas for the primary purpose of informing users who do not have the baseband monitor component installed on their mobile devices about ongoing activities.

15. A mobile device comprising a baseband processor and an application processor, which may or may not be integrated in a single chip, comprising: a) a baseband monitor component configured to monitor the behavior of the baseband processor by using features available on the mobile device, b) an application monitor component configured to monitor the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that constitute normal baseband activities by the user; c) an evaluator component configured to correlate the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious baseband activities, and d) a defense component configured to initiate defense component countermeasures designed to ward off the suspicious baseband activities, wherein the countermeasures designed to ward off the suspicious baseband activities comprise one or more of resetting the baseband processor, resetting the phone or forcing all mobile device connections to be dropped.

16. A mobile device comprising a baseband processor and an application processor, which may or may not be integrated in a single chip, comprising: a) a baseband monitor component configured to monitor the behavior of the baseband processor by using features available on the mobile device, b) an application monitor component configured to monitor the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that constitute normal baseband activities by the user; c) an evaluator component configured to correlate the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious baseband activities, and d) a defense component configured to initiate defense component countermeasures designed to ward off the suspicious baseband activities, wherein the baseband monitor component is configured to implement one or more of the following: collecting information on power consumption of individual hardware components of the mobile device, collecting information on audio path configuration, collecting information on the response time to normal service requests from the application processor to the baseband processor, monitoring of communication interfaces or memory areas shared between the application processor and the baseband processor for atypical communication patterns, monitoring of communication interfaces and memory areas shared between the application processor and the baseband for patterns associated with exploit attempts, or collecting information obtained from the baseband processor's debugging output.

17. The mobile device according to claim 16 , wherein the monitoring of communication interfaces or memory areas shared between the application processor and the baseband processor for patterns associated with exploit attempts, comprises one or more of the following: Monitoring malformated messages or data structures or very large data blocks; Monitoring the usage of procedures, functions, features or messages not seen in normal operations; or Monitoring attempts to access memory areas not consistent with normal operations.

18. The mobile device according to claim 16 , wherein the collecting of information obtained from the baseband processor's debugging output comprises one or more of the following: timing and volume of voice call setup, timing and volume of data transmission, timing and volume of SMS message transmission, or timing and sequence of establishment of traffic channels.

19. A mobile device comprising a baseband processor and an application processor, which may or may not be integrated in a single chip, comprising: a) a baseband monitor component configured to monitor the behavior of the baseband processor by using features available on the mobile device, b) an application monitor component configured to monitor the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that constitute normal baseband activities by the user; c) an evaluator component configured to correlate the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious baseband activities, and d) a defense component configured to initiate defense component countermeasures designed to ward off the suspicious baseband activities, wherein the evaluator component is configured to flag the absence of standard A5/1; A5/2, or A5/3 link encryption on GSM or 3G/UMTS/W-CDMA mobile networks which leads the defense component to issue a warning to the mobile device's user that link encryption has been deactivated.

20. A mobile device comprising a baseband processor and an application processor, which may or may not be integrated in a single chip, comprising: a) a baseband monitor component configured to monitor the behavior of the baseband processor by using features available on the mobile device, b) an application monitor component configured to monitor the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that constitute normal baseband activities by the user; c) an evaluator component configured to correlate the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious baseband activities, and d) a defense component configured to initiate defense component countermeasures designed to ward off the suspicious baseband activities, wherein the evaluator component is configured to flag the presence of a rogue base station that does not belong to the legitimate mobile network and the defense component warns the user of the mobile device that a rogue base station has been detected and/or the defense component shuts down the baseband processor in order to prevent exploitation.

21. The mobile device according to claim 20 wherein the evaluator component is configured to flag the presence of a rogue base station that does not belong to the legitimate mobile network using one or more of the following: cell identification, distance, and signal strength, signal growth/attenuation, forced network change from 3G to 2G network, unusual changes in the list of neighboring cells, unusual configuration parameters of the mobile base station designed to make it appear more ‘attractive’ to the targeted mobile device(s), or network parameters not consistent with the mobile device's location and/or the currently selected mobile network operator.

22. A mobile device comprising a baseband processor and an application processor, which may or may not be integrated in a single chip, comprising: a) a baseband monitor component configured to monitor the behavior of the baseband processor by using features available on the mobile device, b) an application monitor component configured to monitor the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that constitute normal baseband activities by the user; c) an evaluator component configured to correlate the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious baseband activities, and d) a defense component configured to initiate defense component countermeasures designed to ward off the suspicious baseband activities wherein the evaluator component is configured to categorizes activities on the baseband processor in different classes ranging from normal/inconspicuous to highly suspicious.

23. The mobile device according to claim 22 , wherein the evaluator is configured to plot events in a diagram that shows baseband activity and of suspect baseband activities over time, wherein the diagram is displayed on either the mobile device's screen or an external display device.

24. The mobile device according to claim 23 , wherein the evaluator component is configured to compile the suspect baseband activities over time in one single integrated graphical representation of the overall threat level with respect to the mobile device's baseband processor or in the form of a ‘threat level thermometer’ that is displayed on either the mobile device's screen or an external display device.

25. A mobile device comprising a baseband processor and an application processor, which may or may not be integrated in a single chip, comprising: a) a baseband monitor component configured to monitor the behavior of the baseband processor by using features available on the mobile device, b) an application monitor component configured to monitor the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that constitute normal baseband activities by the user; c) an evaluator component configured to correlate the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious baseband activities, and d) a defense component configured to initiate defense component countermeasures designed to ward off the suspicious baseband activities, wherein the evaluator component is configured to record baseband activity in a log file that can be subsequently read and combined with log files from other mobile devices by a reporter component in order to arrive at an overview of the aggregated threat level to which multiple mobile devices are subject to.

26. A mobile device comprising a baseband processor and an application processor, which may or may not be integrated in a single chip, comprising: a) a baseband monitor component configured to monitor the behavior of the baseband processor by using features available on the mobile device, b) an application monitor component configured to monitor the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that constitute normal baseband activities by the user; c) an evaluator component configured to correlate the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious baseband activities, and d) a defense component configured to initiate defense component countermeasures designed to ward off the suspicious baseband activities, wherein the evaluator component is configured to transmit data on baseband activity and network parameters to a remote reporter entity which performs additional location-based analytics to determine the locations of hostile networks.

27. The mobile device according to claim 26 , wherein the remote reporter entity is configured to send out warnings and configuration changes to mobile devices in response to detected hostile network activity.

28. The mobile device according to claim 27 , wherein the remote reporter entity is configured to send out warnings about hostile network activity to dedicated connected devices which are mounted as stationary sensors in sensitive areas for the primary purpose of informing users who do not have the baseband monitor component installed on their mobile devices about ongoing suspicious activities.

29. A method of detecting an attack on a baseband processor of a mobile device comprising the baseband processor and an application processor, which may or may not be integrated in a single chip, comprising the steps of: a) monitoring by a baseband monitor component the behavior of the baseband processor by using features available on the mobile device; b) monitoring by an application monitor component the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that constitute normal baseband activities by the user; and c) correlating by an evaluator component the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious baseband activities; wherein the monitoring by the baseband monitor component further comprises one or more of the following: collecting information on power consumption of individual hardware components of the mobile device, collecting information on audio path configuration, collecting information on the response time to normal service requests from the application processor to the baseband processor; monitoring of communication interfaces or memory areas shared between the application processor and the baseband processor for atypical communication patterns, monitoring of communication interfaces and memory areas shared between the application processor and the baseband for patterns associated with exploit attempts, or collecting information obtained from the baseband processor's debugging output.

30. A mobile device comprising a baseband processor and an application processor, which may or may not be integrated in a single chip, comprising: a) a baseband monitor component configured to monitor the behavior of the baseband processor by using features available on the mobile device; b) an application monitor component configured to monitor the behavior of the application processor by keeping a record of the parameters, execution time or execution duration of legitimate software or user activities on the application processor that constitute normal baseband activities by the user; and c) an evaluator component configured to correlate the baseband processor behavior with application processor behavior in order to distinguish between legitimate and suspicious baseband activities; wherein the baseband monitor component configured to implement one or more of the following: collecting information on power consumption of individual hardware components of the mobile device, collecting information on audio path configuration, collecting information on the response time to normal service requests from the application processor to the baseband processor; monitoring of communication interfaces or memory areas shared between the application processor and the baseband processor for atypical communication patterns, monitoring of communication interfaces and memory areas shared between the application processor and the baseband for patterns associated with exploit attempts, or collecting information obtained from the baseband processor's debugging output.